Use cases fail to deploy due to a missing IAM permission #135

Closed
6 tasks
jamesnixon-aws opened this issue Aug 22, 2024 · 1 comment

@jamesnixon-aws

Describe the bug
A recent service change in Cognito is causing deployment of use cases from the deployment dashboard to fail.
The use case management lambda, which backs the deployment API, assumes an IAM role with a policy allowing it to deploy use cases. This policy now requires the addition of the cognito-idp:GetGroup action.

To Reproduce

  • Deploy a use case from the deployment dashboard
  • Observe a failure response

Expected behavior
Deployments of use cases should succeed when performed from the deployment dashboard/via the API.

Please complete the following information about the solution:

  • Version: v2.0.1

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0276) - Generative AI Application Builder on AWS Solution. Version v1.0.0".

  • Region: [us-west-2, us-east-1]
  • Was the solution modified from the version published on this repository? No
  • If the answer to the previous question was yes, are the changes available on GitHub? N/A
  • Have you checked your service quotas for the services this solution uses? Yes
  • Were there any errors in the CloudWatch Logs? Yes, error from the use case management lambda reads as follows:
Resource handler returned message: "User: arn:aws:sts::<redacted>:assumed-role/GAAB-UseCaseManagementSetupUseCase-UCMLRole389A579A-h1Yz0fQLOd16/GAAB-UseCaseManagementSetupUse-UseCaseMgmtFA52D6EF-d8pl21hV4vHW is not authorized to perform: cognito-idp:GetGroup on resource: arn:aws:cognito-idp:us-west-2:<redacted>:userpool/us-west-2_<redacted> because no identity-based policy allows the cognito-idp:GetGroup action (Service: CognitoIdentityProvider, Status Code: 400, Request ID: <redacted>)" (RequestToken: <redacted>, HandlerErrorCode: GeneralServiceException)
@jamesnixon-aws jamesnixon-aws added the bug Something isn't working label Aug 22, 2024
@jamesnixon-aws jamesnixon-aws self-assigned this Aug 22, 2024
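
An added example, not code from the issue or the project: it parses an access-denied message of the shape quoted above, checks the denied action against an identity policy, and builds an Allow statement scoped to the single action and resource that was denied. The sample error, the account ID, the role and pool names, and the "before" policy are constructed placeholders, and the evaluation is simplified (no Condition, NotAction, NotResource, SCPs or permission boundaries).

```python
import fnmatch
import re

# Constructed sample in the shape of the CloudWatch error quoted in the issue;
# the account ID, role, session and pool ID are placeholders.
SAMPLE_ERROR = (
    "User: arn:aws:sts::111122223333:assumed-role/ExampleDeployRole/example-session "
    "is not authorized to perform: cognito-idp:GetGroup on resource: "
    "arn:aws:cognito-idp:us-west-2:111122223333:userpool/us-west-2_EXAMPLE "
    "because no identity-based policy allows the cognito-idp:GetGroup action"
)
# Constructed "before" policy (not the project's real policy): GetGroup is absent.
BEFORE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["cognito-idp:CreateGroup", "cognito-idp:DeleteGroup"],
    "Resource": "arn:aws:cognito-idp:*:111122223333:userpool/*"}]}

DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)")

def parse_denial(message):
    """Return principal, action and resource from an access-denied message, or None."""
    m = DENIED_RE.search(message)
    return m.groupdict() if m else None

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified identity-policy check: an explicit Deny wins, otherwise any Allow."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        # IAM action names are case-insensitive; resource ARNs are matched as written.
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in as_list(stmt.get("Action", [])))
               and any(fnmatch.fnmatchcase(resource, r)
                       for r in as_list(stmt.get("Resource", []))))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def scoped_statement(denial):
    """Allow only the denied action on the denied resource, with no wildcards."""
    return {"Effect": "Allow", "Action": [denial["action"]],
            "Resource": [denial["resource"]]}
```
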
tabdunabi pushed a commit that referenced this issue Aug 23, 2024
### Fixed
- Issue [#135](#135) Added a new IAM permission for the cognito-idp:GetGroup action to the CloudFormation deployment role (used when deploying use cases). This was required due to a service change.
tabdunabi added a commit that referenced this issue Aug 23, 2024
### Fixed
- Issue [#135](#135) Added a new IAM permission for the cognito-idp:GetGroup action to the CloudFormation deployment role (used when deploying use cases). This was required due to a service change.

Co-authored-by: James Nixon <[email protected]>
@tabdunabi

This issue has been fixed in GAAB v2.0.2, published on August 23, 2024.